Studio Developer Manual / Version 2406.1
Table Of Contents
The concrete configuration of the SecurityFilterChain
will of course depend heavily on your
SSO provider, but there are also some mandatory and recommended Studio-specific settings.
The following example has been created for an OAuth2 provider, and we will go through it step-by-step.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http,
RequestMatcher unauthenticatedRequestMatcher,
RequestMatcher authenticatedRequestMatcher,
SessionFixationProtectionStrategy sessionFixationProtectionStrategy,
RequestMatcher csrfIgnoringRequestMatcher,
RequestMatcher logoutRequestMatcher,
CapLogoutHandler capLogoutHandler,
LogoutSuccessHandler logoutSuccessHandler,
AccessDeniedHandler accessDeniedHandler) throws Exception {
return http
.oauth2Login()
.and()
.authorizeHttpRequests()
.requestMatchers(unauthenticatedRequestMatcher).permitAll()
.requestMatchers(authenticatedRequestMatcher).authenticated()
.and()
.sessionManagement()
.sessionAuthenticationStrategy(sessionFixationProtectionStrategy)
.and()
.csrf()
.ignoringRequestMatchers(csrfIgnoringRequestMatcher)
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedHandler)
.and()
.logout()
.logoutRequestMatcher(logoutRequestMatcher)
.addLogoutHandler(capLogoutHandler)
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.headers()
.and()
.build();
}
There are different styles of writing such a configuration. In this example we create several Configurers
on the HttpSecurity bean like e.g. logout()
, customize their behavior by calling methods on them and
then get back to the HttpSecurity bean with and()
to continue with the next Configurer
.
The first configurer oauth2Login()
adds support for authentication using OAuth2 and is just an example.
Your SSO provider might require different configuration.
authorizeHttpRequests()
and the following requestMatchers
configure which requests require
authentication in the first place. Generally only the requests to /api/**
are protected, but there
are also some paths below that need to be accessible without authentication.
To this end you can use the predefined RequestMatchers unauthenticatedRequestMatcher
and authenticatedRequestMatcher
.
sessionManagement()
and csrf()
are used to configure protection against session fixation
attacks and CSRF with predefined strategies for Studio.
exceptionHandling()
: The predefined accessDeniedHandler
is a
com.coremedia.rest.security.config.SimpleLogoutAccessDeniedHandler
takes care of correct
redirection if the request is a request to the logout url. Other requests receive a 403 response.
logout()
: The predefined capLogoutHandler
and logoutSuccessHandler
take care of
closing a user's CapSession
and correct redirection on logout.
The predefined logoutRequestMatcher
is configured for path /logout
and method POST
and is also used to configure the accessDeniedHandler
.
headers()
adds some recommended security headers to the response.